Automatic Authentication

Trying to wrap my head around the security behind automatic authentication...

So I see the Endpoint Encryption loading something in Pre-Boot, and then it goes straight into the Windows logon screen. At what point does the drive become unencrypted? Are the contents of the drive still encrypted until an authenticated user logs on to Windows? If the drive is unencrypted at the logon screen, then what's the point of encrypting it in the first place?

We're looking to streamline the sign-on process as much as possible, but not to the point where we make the encryption pointless.

You can verify via the SEE Admin/User client or from the Manager Computer/Console if a disk is encrypted or not. The state of encryption isn't specifically linked to the authentication options you choose.

As far as your implementation goes (full disk encrypted endpoint machine with automatic authentication) the drive itself is encrypted, so is protected from attempts to read/manipulate the drive with other bootable utilities, password crackers that boot from CD/USB, and anything else that doesn't have access to the keys. But because it boots straight into Windows, you are essentially reliant upon the security of Windows itself. Once it's all up and loaded, it has the same exposure as a normal Windows machine and is open to all of Windows vulnerabilities and attack vectors.

It sounds like you may want to switch to requiring authentication, and enabling single sign-on. This means when a encrypted machine is started it boots straight into the hardened pre-boot auth environment, but will then load straight into the profile of whichever registered user logs on. This is normally the recommended auth option.